Abstract

We show that only languages in BPP have public-coin black-box zero-knowledge protocols that are secure under an unbounded (polynomial) number of parallel repetitions. This result holds both in the plain model (without any set-up) and in the Bare Public-Key Model (where the prover and the verifier have registered public keys). We complement this result by constructing a public-coin black-box zero-knowledge proof based on one-way functions that remains secure under any a-priori bounded number of concurrent executions.

A key step (of independent interest) in the analysis of our lower bound shows that any public-coin protocol, when repeated sufficiently in parallel, satisfies a notion of “resettable soundness” if the verifier picks its random coins using a pseudorandom function.
1 Introduction

Zero-knowledge (ZK) interactive protocols [GMR89] are paradoxical constructs that allow one player P (called the prover) to convince another player V (called the verifier) of the validity of a mathematical statement $x \in L$, while providing zero additional knowledge to the verifier. This is formalized by requiring that the view of an adversarial verifier, $V^*$, during an interaction with the prover P, can be efficiently reconstructed by a so-called simulator, S. A particularly attractive notion of zero-knowledge, called black-box zero-knowledge [GO94], requires the existence of a universal simulator S that can generate the view of any $V^*$ when given black-box access to $V^*$.

A fundamental question regarding zero-knowledge protocols is whether their composition remains zero-knowledge. Three basic notions of composition are sequential composition [GMR89, GO94], parallel composition [FS90, GK96b] and concurrent composition [FS90, DNS04]. In a sequential composition, the players sequentially run many instances of a zero-knowledge protocol, one after the other. In a parallel composition, the instances instead proceed in parallel, at the same pace. Finally, in a concurrent composition, messages from different instances of the protocol may be arbitrarily interleaved.

While the definition of ZK is closed under sequential composition [GO94], this no longer holds for parallel composition [GK96b] (and thus not for concurrent composition either). However, there are zero-knowledge protocols for all of NP that have been demonstrated to be secure under both parallel and concurrent composition. For the case of parallel composition, constant-round protocols are known [Gol02, FS90, GK96a]. For the case of concurrent composition, a series of works [RK99, KP01, PRS02] show feasibility of $O(\log n)$-round black-box ZK protocols; furthermore, this round-complexity is essentially optimal with respect to black-box ZK [KPR98, Ros00, CKPR01].

Whereas the original ZK protocols of [GMR89, GMW91, Blu86] are public-coin — i.e., the verifier’s messages are its random coin-tosses — all of the aforementioned parallel or concurrent ZK protocols use private coins. Indeed, in their seminal paper, Goldreich and Krawczyk [GK96b] show that only languages in BPP have constant-round public-coin (stand-alone) black-box ZK protocols with negligible soundness error, let alone the question of parallel composition. In particular, their results imply that (unless $\mathrm{NP} \subseteq \mathrm{BPP}$) the constant-round ZK protocols of e.g., [GMW91, Blu86] with constant soundness error cannot be black-box ZK under parallel repetition (as this would yield a constant-round black-box ZK protocol with negligible soundness error).

A natural question is whether the constant-round restriction imposed by the [GK96b] result is necessary. Namely,

Is there a (possibly super-constant round) public-coin black-box ZK protocol that is secure under parallel (or even concurrent) composition?

1.1 Our Results

In this work, we provide a negative answer to the above question. Namely, we show that only languages in BPP have public-coin black-box ZK protocols that remain secure under parallel (and thus also concurrent) composition, regardless of round complexity.

Theorem (Informal). If L has a public-coin argument that is black-box ZK and secure under parallel composition, then $L \in \mathrm{BPP}$.

In fact, our result establishes that any public-coin, black-box ZK protocol for a non-trivial language that remains secure under m parallel executions must have $\Omega(m^{1/2})$ rounds.

On the positive side we show that every language in NP has a public-coin black-box ZK proof that remains secure under an a-priori bounded number of concurrent (and thus parallel) executions.
Theorem (Informal). Assume the existence of one-way functions. Then for every polynomial m, there exists an $O(m^3)$-round public-coin black-box ZK proof for NP that is secure under m-bounded concurrent composition.

An earlier result of Barak [Bar01] also constructs public-coin bounded-concurrent ZK protocols that additionally have constant rounds. However, Barak’s construction is an argument (rather than a proof), assumes collision-resistant hash functions, and uses non-black-box simulation.

Finally, we briefly turn to compositions in models with trusted set-up. Canetti, Goldreich, Goldwasser and Micali [CGGM00] show that in the Bare Public-Key (BPK) Model, where each player has a registered public-key, constant-round black-box concurrent ZK protocols exist for all of NP (whereas in the plain model without set-up, as mentioned earlier, $\Omega(\log n)$ rounds are necessary for non-trivial languages [CKPR01]). We show that for the case of public-coin protocols, the BPK setup does not help with composition.

Theorem (Informal). If L has a public-coin argument in the BPK model that is black-box parallel ZK, then $L \in \mathrm{BPP}$.

We remark that our lower bound does not extend to more elaborate public-key setups. For example, Damgård [Dam00] shows that a public key infrastructure with a certification authority can be used to construct constant-round public-coin arguments that are black-box concurrent zero-knowledge.

As we will see, some of the intermediate ideas in our work are closely related to the notion of resettable soundness [BGGL01]. Very informally, we establish that parallel repetition of public-coin protocols not only reduces the soundness error [PV07, HPWP10], but also qualitatively strengthens the soundness — roughly speaking, the new protocols will be secure under a “resetting” attack.

1.2 Techniques

To describe our techniques, first recall the Goldreich-Krawczyk [GK96b] lower bound that only languages in BPP have $O(1)$-round public-coin black-box ZK protocols. Let $\Pi = (P, V)$ be a public-coin black-box ZK protocol for a language L, and consider an adversarial verifier $V^*$ that, instead of picking its messages at random, computes them by applying a hash function to the current transcript. [GK96b] shows that any black-box simulator S, together with $V^*$, can decide L: on input x, simply run $S^{V^*}(x)$ and accept if S outputs an accepting view of $V^*$. Using the zero-knowledge property of $\Pi$, if $x \in L$, then $S^{V^*}(x)$ will output an accepting view of $V^*$ (because an honest prover would convince $V^*$). The crux of their proof is then to show that if $x \notin L$, then $S^{V^*}(x)$ will not output an accepting view. If S does not rewind $V^*$, this would directly follow from the soundness of $\Pi$. However, S may rewind $V^*$, and may only convince $V^*$ in one of its rewinding “threads”. Nonetheless, [GK96b] manages to show that if S, by rewinding or “resetting” $V^*$, manages to trick $V^*$ into accepting $x \notin L$, then we can construct a machine T (based on S) that manages to convince an external verifier V (without rewinding V), contradicting the soundness of the protocol. In other words, they show that any $O(1)$-round public-coin protocol is sound under a resetting-attack [CGGM00, BGGL01], where the statement is fixed and the prover (simulator) running time is bounded by a fixed polynomial. Analogously, to prove our results, we show that any public-coin interactive protocol, repeated sufficiently many times in parallel (and again letting the verifier pick its messages by applying a hash function to the transcript), is sound under a resetting-attack.

Previous reductions. The work of [GK96b], as well as all subsequent black-box lower bounds (e.g., [KPR98, Ros00, CKPR01, BL02, Kat08, HRS09]) relies on the following approach for constructing the stand-alone (non-resetting) prover T, given the rewinding simulator S. T incorporates S and internally emulates an execution of S with an internally emulated verifier (which of course can be rewound). During the emulation, T appropriately picks some messages sent by S to the internal verifier, and forwards them to an external verifier (and also forwards back the responses). The crux of the various lower bounds lies in choosing the externally forwarded messages so that the external verifier is convinced. The difficulty of this task stems from the fact that, at the time of deciding whether to externally forward a message or not, T does not yet know if S will eventually choose this message to “continue” its simulation (and use it as part of the output view), or treat this message simply as a “rewinding” (used to collect information).

For the case of constant-round protocols, [GK96b] shows that externally forwarding a random selection of messages works; if the protocol has d rounds, this random selection is “correct” with probability at least $1/q^d$, where q is the number of queries made by the simulator to the verifier. This approach of simply running the simulator S “straight-line” seems hard to extend to protocols with a polynomial number of rounds; the number of possible choices for messages to forward to the external verifier becomes too large.¹

Our reduction. In our work, we are given a zero-knowledge protocol $\Pi = (P, V)$ for a language L that is secure under parallel repetitions. Building on the same framework as [GK96b], we let $V_m^*$ be a verifier that starts m parallel sessions and generates its messages using hash functions, let S be the black-box zero-knowledge simulator, and use $S^{V_m^*}$ to decide L. As we will see, we choose the number of parallel sessions, m, as a (polynomial) function of the number of rounds in $\Pi$. Following the same argument, it is enough to show that on input $x \notin L$, S cannot produce an accepting view of $V_m^*$. Because we may view S as a rewinding/resetting prover, it is equivalent to show that protocol $(P^m, V_m^*)$ is sound under resetting attacks. In the rest of this section we omit the common input x.

The crux of our work is then the following reduction: Given S, a resetting cheating prover of the parallelized protocol that convinces $V_m^*$, we show how to construct T, a straight-line (non-rewinding) cheating prover of the original single session protocol that convinces V; this contradicts the soundness of protocol $\Pi$. To further clarify the difference between S and T, let us compare the transcripts of an interaction between T and V, and of an interaction between S and $V_m^*$. A transcript of the interaction between T and V is simply a transcript of a single session of the protocol $\Pi$; each query from T to V is simply a prefix of the transcript that extends the previous query by one round of the protocol. A transcript of the interaction between S and $V_m^*$ can be much longer due to rewinds; furthermore, each query from S to $V_m^*$ is a prefix of a transcript of the parallelized protocol.

On a high level, T internally runs S with an internally simulated $V_m^*$, and externally interacts with an external verifier V. In order to take advantage of S to convince the external verifier V, T “embeds” the interaction with V into the interaction between S and $V_m^*$. This “embedding” is not straightforward for the following two reasons. Firstly, just as in [GK96b], the external verifier V cannot be reset, whereas S may reset $V_m^*$ many times (i.e., S can make many more queries than the number of rounds of the protocol); as we will explain shortly, T carefully picks a subset of the rewindings to forward externally. Secondly, recall that V is a single session verifier, whereas $V_m^*$ is an m-session parallel verifier (looking forward, the reason we let V be a single session verifier is to enable T to appropriately pick which rewindings to forward). Therefore, T embeds the interaction with V only into a single session i of the m parallel sessions in the interaction between S and $V_m^*$; in fact, session i is picked uniformly at random at the beginning and fixed throughout the execution of the reduction (looking forward again, the fact that session i is picked uniformly will be important for our analysis).

¹ For the case of sub-logarithmic-round protocols, Canetti, Kilian, Petrank and Rosen [CKPR01] show that when given the freedom to construct a concurrent adversarial verifier that can schedule messages in an arbitrary way, there exists some particular scheduling which makes it easy to identify appropriate messages to forward externally. Their work has the advantage that it applies to private-coin zero-knowledge protocols, but is not applicable in our setting due to the use of concurrent adversarial verifiers, and being limited to sub-logarithmic-round protocols. Incidentally, they also run the simulator S in a straight-line manner.

To summarize, T only externally forwards a subset of the S queries, and only forwards component i (corresponding to session i) of those queries. T then forwards back external responses from V as component i of the same subset of $V_m^*$ responses; all other $V_m^*$ responses are picked uniformly at random by T internally (this includes all except component i in the responses to the selected subset of S queries, and all components of the remaining responses). Here we rely on the fact that $\Pi$ is public-coin in order for T to generate $V_m^*$ responses in the forwarded session, despite the fact that other verifier responses in the forwarded session may be externally generated by V.

Recall that the difficulty of the reduction comes from choosing which S queries to forward externally. As remarked earlier, the approach of running S in a straight-line manner seems unlikely to work for polynomial-round protocols. Instead, we let T rewind S (while S itself believes it is rewinding the internally simulated $V_m^*$). Our strategy is twofold. Firstly, T only externally forwards (component i of) queries that have a good chance of being included by S in its output (by assumption, S outputs a sequence of queries that convinces $V_m^*$); because the protocol is public-coin, we can estimate this chance by doing internal test-runs. Secondly, once we have forwarded (component i of) a query, we “force” S to include the query in its output by repeatedly rewinding S while re-picking the internally generated $V_m^*$ messages (thus skewing the distribution of the internally generated $V_m^*$ messages).

To analyze T, we need to show that S would successfully convince the internally simulated $V_m^*$, even though T has embedded the external interaction with V into the interaction between S and $V_m^*$. Note that the success probability of S depends only on two inputs: the internally simulated $V_m^*$ messages, and the embedded external V messages (these can be found only in the forwarded session i). These two types of messages differ in that the internally simulated $V_m^*$ messages are picked by T, through the help of test-runs, to be “good”, while the external V messages are just uniform samples. We first show that if T is also allowed to rewind the external verifier V (which we cannot), ensuring that internal $V_m^*$ messages and external V responses are both “good”, then T only needs to perform polynomially many rewinds in order for S to successfully convince $V_m^*$. Next, to remove the assumption of rewinding V, we use a probabilistic lemma due to Raz [Raz98], originally used to prove that parallel repetition reduces the soundness error in two-prover games. We show that if there are enough parallel sessions, then not being able to pick “good” verifier responses in just one random session only introduces a small statistical error; since session i is picked uniformly at random at the beginning, this suffices for bounding the success probability of T.

ZK lower bounds and soundness amplification. As an independent contribution, we believe that our techniques elucidate an intriguing (and useful) connection between lower bounds for black-box ZK, and feasibility results for soundness/hardness amplification. Our techniques share many similarities with works on soundness amplification under parallel repetitions, such as [BIN97, PV07, IJK07], and especially [HPWP10]; in particular, our use of Raz’s lemma is similar to its use in [HPWP10]. Whereas those works show how to transform a parallel prover with “small” success probability into a stand-alone prover with “high” success probability, we have adapted their techniques to transform a rewinding/resetting parallel prover into a non-rewinding stand-alone prover.

As a further example of this connection, we extend our lower bound to the BPK model by relying again on techniques developed for soundness amplification. In the BPK model, we have the additional problem that the external verifier can decide whether to accept or reject based on its secret key, which T does not know. Consequently, T cannot determine whether the external verifier would accept or reject when doing test-runs, which is crucial for deciding which messages to forward externally. By relying on the “trust-halving” technique from [IW97, BIN97], and its refinement in [HPWP10], we show how T can make “educated guesses” on whether the external verifier accepts or not.

Extension to resettable soundness. More generally, the above techniques show how to transform a public-coin protocol so that it is sound under a weak form of resetting attack: where the statement is fixed, and the number of resets is a-priori bounded. Simply take a public-coin protocol, sufficiently repeat it in parallel, and let the verifier generate its messages by applying hash functions to the current transcript. If the verifier uses pseudo-random functions instead of hash functions as in [BGGL01], then we may remove the a-priori bound on the number of resets. Additionally, we show that if the original protocol is also a proof of knowledge [GMR89, FS90, BG02], then the parallelized version satisfies the original (strongest) notion of resettable-soundness from [BGGL01], where the adversarial prover can also change the statement between resets. [BGGL01] showed a similar type of result for $O(1)$-round public-coin proofs of knowledge.

Outline. We give some preliminaries in Sect. 2, and jump into our impossibility results in Sect. 3 (standard model) and Sect. 4 (bare public-key model). We then present our public-coin bounded-concurrent zero-knowledge protocol in Sect. 5. Details of our application to resettable soundness can be found in Sect. 6.

2 Preliminaries

We assume familiarity with indistinguishability, interactive proofs and commitments. $|x|$ denotes the length of a (bit) string x, and $[n]$ denotes the set $\{1, \ldots, n\}$.

2.1 Interactive Protocols

An interactive protocol $\Pi$ is a pair of interactive Turing machines, $(P, V)$, where V is probabilistic polynomial time (PPT). P is called the prover, while V is called the verifier. $\langle P, V \rangle(x)$ denotes the random variable (over the randomness of P and V) representing V’s output at the end of the interaction on common input x. If additionally V receives auxiliary input z, we write $\langle P(x), V(x, z) \rangle$ to denote V’s output. We assume WLOG that $\Pi$ starts with a verifier message and ends with a prover message, and say $\Pi$ has k rounds if the prover and verifier each send k messages alternately. The notation $(v_1, p_1, \ldots)$ specifies a full or partial transcript of $\Pi$ where v denotes verifier messages and p denotes prover messages. $\Pi$ is public-coin if the verifier messages are just disjoint segments of V’s random tape.

We may repeat an interactive proof in parallel. Let $\Pi^m = (P^m, V^m)$ be $\Pi$ repeated in m parallel sessions; that is, each prover and verifier message in $\Pi^m$ is just the concatenation of m copies of the corresponding message in $\Pi$. $V^m$ completes $\Pi$ in all m sessions (or aborts in all sessions), and accepts if and only if all m sessions are accepted by V.

2.2 Zero Knowledge Protocols

In the setting of zero knowledge, we consider an adversarial verifier that attempts to “gain knowledge” by interacting with an honest prover. An m-session concurrent adversarial verifier $V^*$ is a probabilistic polynomial time machine that, on common input x and auxiliary input z, interacts with $m(|x|)$ independent copies of P concurrently (called sessions); the traditional stand-alone adversarial verifier is simply a 1-session adversarial verifier. There are no restrictions on how $V^*$ schedules the messages among the different sessions, and $V^*$ may choose to abort some sessions but not others. Let $\mathrm{View}_{V^*}(x, z)$ be the random variable that denotes the view of $V^*$ in an interaction with P (this includes the random coins of $V^*$ and the messages received by $V^*$). Note that for public-coin protocols, the view of an honest verifier is just the transcript of the interaction.

A black-box simulator S is a probabilistic polynomial time machine that is given black-box access to $V^*$ (written as $S^{V^*}$). Formally, S fixes the random coins r of $V^*$ a priori, and S is allowed to specify a valid partial transcript $\tau = (v_1, p_1, \ldots, p_i)$ of $(P, V^*)$, and query $V^*$ for the next verifier message $v_{i+1}$. Here, $\tau$ is valid if it is consistent with $V^*$, i.e., each verifier message $v_j$ in $\tau$ is what $V^*$ would have responded given the previous prover messages $p_1, \ldots, p_{j-1}$ and the fixed random tape r. Note that S is allowed to “rewind” $V^*$ by querying $V^*$ with different partial transcripts that share a common prefix.
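As an added example (not code from the paper), the following Python toy models the black-box access $S^{V^*}$ just defined, together with the hash-derived verifier $V_m^*$ of Sect. 1.2 and the m-fold parallel repetition of Sect. 2.1: HMAC-SHA256 stands in for the hash/pseudorandom function family, protocol messages carry no semantics (only the query structure is modelled), and the rewinding strategy at the end is constructed for illustration.

```python
import hashlib
import hmac
import random

COIN_LEN = 8  # bytes of verifier coins per session and round (constructed parameter)


class ParallelHashVerifier:
    """V*_m: m parallel sessions of a k-round public-coin protocol. Verifier message
    j of session i is PRF_r(j, i, prefix) over the whole parallel transcript so far,
    with r a fixed tape, so resetting V*_m to the same prefix gives the same coins."""
    def __init__(self, m, k, tape):
        self.m, self.k, self.tape = m, k, tape

    def next_message(self, prover_msgs):
        """Return v_{j+1} given the prover messages p_1, ..., p_j sent so far."""
        j = len(prover_msgs)
        if j >= self.k:
            raise ValueError("the protocol has only k rounds")
        return tuple(self._coins(i, j, prover_msgs) for i in range(self.m))

    def _coins(self, i, j, prover_msgs):
        h = hmac.new(self.tape, digestmod=hashlib.sha256)  # HMAC stands in for the PRF
        h.update(f"{j}|{i}|".encode())
        for p in prover_msgs:  # each p is an m-tuple of per-session bytes
            h.update(b"".join(p))
        return h.digest()[:COIN_LEN]


class BlackBoxOracle:
    """Black-box access S^{V*}: the simulator submits a partial transcript
    (v_1, p_1, ..., v_i, p_i) and receives v_{i+1}, but only if every v_j equals
    what V*_m answers to p_1, ..., p_{j-1}; verifier messages cannot be forged."""
    def __init__(self, verifier):
        self.verifier = verifier
        self.queries = 0

    def query(self, transcript):
        if len(transcript) % 2:
            raise ValueError("a query is empty or ends with a prover message")
        prover_msgs = transcript[1::2]
        for j, v in enumerate(transcript[0::2]):
            if v != self.verifier.next_message(prover_msgs[:j]):
                raise ValueError(f"v_{j + 1} is inconsistent with V*'s fixed tape")
        self.queries += 1
        return self.verifier.next_message(prover_msgs)


def rand_msg(m, rng):
    """A random m-tuple of per-session prover messages (toy prover, no semantics)."""
    return tuple(rng.randbytes(COIN_LEN) for _ in range(m))


def straight_line_run(oracle, m, k, rng):
    """Non-rewinding execution: k queries, each extending the previous transcript
    by one round, exactly as T interacts with the external verifier V."""
    t = []
    for _ in range(k):
        t += [oracle.query(t), rand_msg(m, rng)]
    return t


def rewinding_run(oracle, m, k, good_coins, rng):
    """Toy resetting strategy: for each round j >= 2, resample p_{j-1} and re-query
    the same prefix until v_j is 'good' in all m sessions (v_1 depends only on the
    empty prefix and cannot be steered). Queries grow like 2^m per steered round."""
    t = [oracle.query([])]
    while len(t) < 2 * k - 1:
        while True:
            p = rand_msg(m, rng)
            v = oracle.query(t + [p])
            if all(good_coins(c) for c in v):
                break
        t += [p, v]
    t.append(rand_msg(m, rng))  # final prover message p_k
    return t


def demo(m=3, k=4):
    """Run both strategies against the same V*_m and report what to observe."""
    oracle = BlackBoxOracle(ParallelHashVerifier(m, k, b"constructed fixed tape r"))
    rng = random.Random(2009)
    honest = straight_line_run(oracle, m, k, rng)
    honest_queries = oracle.queries  # exactly k: one query per round
    # Resetting to an identical prefix reproduces identical coins (resettability).
    replay_equal = oracle.query(honest[:2]) == honest[2]
    # Flipping one bit of v_1 makes the transcript invalid; the oracle refuses it.
    forged = [tuple(bytes([c[0] ^ 1]) + c[1:] for c in honest[0]), honest[1]]
    try:
        oracle.query(forged)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    before = oracle.queries
    forced = rewinding_run(oracle, m, k, lambda c: c[0] % 2 == 0, rng)
    return {"honest_queries": honest_queries, "replay_equal": replay_equal,
            "forged_rejected": forged_rejected,
            "rewinding_queries": oracle.queries - before,  # >= k, about k * 2^m
            "forced_steered": all(c[0] % 2 == 0 for v in forced[2::2] for c in v),
            "forced_len": len(forced)}  # k verifier plus k prover messages
```

Running `demo()` shows the gap the reduction must bridge: the straight-line prover spends exactly k queries, while the resetting strategy spends many more and yet ends with a single transcript of the same length.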

Intuitively, an interactive proof is zero-knowledge (ZK) if the view of any (stand-alone) adversarial verifier $V^*$ can be generated by a simulator. The protocol is concurrent ZK if the view of any concurrent adversarial verifier can be generated as well. The formal definitions follow.

Definition 1 (Black-Box Zero-Knowledge [GMR89, GO94]). Let $\Pi = (P, V)$ be an interactive proof (or argument) for a language L. $\Pi$ is black-box zero-knowledge if there exists a black-box simulator S such that for every common input x, auxiliary input z and every (stand-alone) adversary $V^*$, $S^{V^*(x,z)}(x)$ runs in time polynomial in $|x|$, and the ensembles $\{\mathrm{View}_{V^*}(x, z)\}_{x \in L,\, z \in \{0,1\}^*}$ and $\{S^{V^*(x,z)}(x)\}_{x \in L,\, z \in \{0,1\}^*}$ are computationally indistinguishable as a function of $|x|$.

Note that because we consider black-box simulation, S does not get access to any “internals” of $V^*$ such as its auxiliary input z.

Definition 2 (Black-Box Concurrent Zero-Knowledge [DNS04]). Let $\Pi = (P, V)$ be an interactive proof (or argument) for a language L. $\Pi$ is black-box concurrent zero-knowledge if for every polynomial m, there exists a black-box simulator $S_m$ such that for every common input x, auxiliary input z and every m-session concurrent adversary $V^*$, $S_m^{V^*(x,z)}(x)$ runs in time polynomial in $|x|$, and the ensembles $\{\mathrm{View}_{V^*}(x, z)\}_{x \in L,\, z \in \{0,1\}^*}$ and $\{S_m^{V^*(x,z)}(x)\}_{x \in L,\, z \in \{0,1\}^*}$ are computationally indistinguishable as a function of $|x|$.

We also consider a bounded version of concurrent zero-knowledge where the order of quantifiers is reversed [Bar01].

Definition 3 (Black-Box Bounded Concurrent Zero-Knowledge). Let $\Pi = (P, V)$ be an interactive proof (or argument) for a language L and let m be a polynomial. $\Pi$ is black-box m-bounded concurrent zero-knowledge if there exists a black-box simulator S such that for every common input x, auxiliary input z and every m-session concurrent adversary $V^*$, $S^{V^*(x,z)}(x)$ runs in time polynomial in $|x|$. Furthermore, it holds that the ensembles $\{\mathrm{View}_{V^*}(x, z)\}_{x \in L,\, z \in \{0,1\}^*}$ and $\{S^{V^*(x,z)}(x)\}_{x \in L,\, z \in \{0,1\}^*}$ are computationally indistinguishable as a function of $|x|$.

2.3 Resettable-Soundness

Informally, given a protocol $\Pi = (P, V)$, a cheating prover $P^*$ performing a resetting attack has the power to reset (i.e., rewind) the honest resettable verifier, resulting in multiple sessions of $\Pi$. Furthermore, in all these sessions, V uses the same random tape that is uniformly chosen before the attack. For example, a black-box zero-knowledge simulator is a valid resetting attack. We can consider two different models on how the input instances are chosen for each session. In the model of resettable-soundness as defined by [BGGL01], $P^*$ can adaptively choose different input instances for each session. We also consider the model where $P^*$ is given an input instance that must be used in all sessions (similar to the definition of resettable zero-knowledge by [CGGM00]); we call this fixed-input resettable-soundness.
Definition 4 (Resetting-Attack [BGGL01, Definition 3.1]). A resetting attack of a cheating prover $P^*$ on a resettable verifier V is defined by the following two-step random process, indexed by a security parameter n:

1. Uniformly select and fix $t = \mathrm{poly}(n)$ random-tapes, denoted $r_1, \ldots, r_t$, for V, resulting in deterministic strategies $V_{r_j}$. When an input $x \in \{0,1\}^n$ is also chosen, we call $V_{r_j}(x)$ an incarnation of V (i.e., V with its randomness set to $r_j$ and its common input fixed to x).

2. On input $1^n$, $P^*$ is allowed to interact with $\mathrm{poly}(n)$ incarnations of V. $P^*$ chooses each incarnation (adaptively) by choosing $x \in \{0,1\}^n$ and $j \in [t]$ (these choices may depend on $P^*$’s previous interactions with other incarnations of V). $P^*$ may freely switch among interactions with different incarnations of V, and may rewind/reset each incarnation of V.

We further define two variants of resetting attacks. In a fixed-input resetting attack, the cheating prover $P^*$ is given a fixed input instance x to use in all sessions. In a q-query resetting attack, the cheating prover $P^*$ is allowed q queries total for verifier messages (summed over all interactions among the different incarnations of V).

Remark. We have chosen the “interleaving” attack model instead of the “non-interleaving” attack model, where $P^*$ must finish its current interaction with an incarnation of V completely, before starting another interaction (see discussions in [CGGM00, BGGL01]). The two models are equivalent as shown in [CGGM00]. We choose the “interleaving” model because later we will make the assumption that $P^*$ never makes the same query twice to V. The notion of a q-query resetting attack is also more natural in the “interleaving” model.

Definition 5 (Resettable-Soundness [BGGL01, Definition 3.1]). Let $\Pi = (P, V)$ be a pair of interactive machines where V is PPT. We say $\Pi$ is a resettably-sound proof for a language L (resp., resettably-sound argument) if the following condition holds:

Resettable-Soundness: For every resetting attack by $P^*$ (resp., polynomial-size $P^*$), the probability that some incarnation $V_r(x)$ accepts and $x \notin L$ is negligible in n.

We say $\Pi$ is a q-query fixed-input resettably-sound proof (resp., argument) for a language L if the resettable-soundness property holds with respect to any q-query fixed-input resetting attack.

3  Impossibility  of  Public-Coin  Black-Box  Parallel  ZK 

In  this  section  we  show  that  only  languages  in  BPP  have  public-coin  concurrent  zero-knowledge 
protocols.  We  actually  show  a  stronger  result:  Except  for  languages  in  BPP,  no  public-coin  protocol 
remains  black-box  zero-knowledge  when  repeated  in  parallel.  The  formal  theorems  are  stated  below, 
where  n  denotes  the  security  parameter  or  the  input  size. 

Theorem 1. Suppose language L has a k = poly(n)-round public-coin black-box zero-knowledge proof Π with soundness error 1/2. If m > k log² n and Π^m is zero-knowledge, then L ∈ BPP.

Theorem 2. Suppose language L has a k = poly(n)-round public-coin black-box zero-knowledge argument Π with soundness error 1/2. If m > (k² log k) log² n and Π^m is zero-knowledge, then L ∈ BPP.

The difference between Theorems 1 and 2 is caused by the difference between proofs and arguments. While the two theorems differ slightly in parameters, their proofs differ greatly. We remark that our theorems trivially hold with respect to "non-aborting" verifiers since we focus only on public-coin protocols.
3.1 Reducing to Resettable Soundness

The proofs of Theorems 1 and 2 begin in the same high-level framework as that of [GK96b]. Suppose a language L has a k-round public-coin ZK protocol Π = (P, V), and Π^m is zero-knowledge with a black-box simulator S that runs in time n^d. To show that L ∈ BPP, we construct a "random-looking" adversarial verifier, V*, and consider the following decision algorithm D: D(x) runs S^{V*}(x) to generate a view of V*, and accepts x if and only if V* accepts given the generated view (which in turn occurs if and only if the honest verifier V accepts in all m sessions of the view).

V* is actually a family of adversarial verifiers constructed as follows. Let H be a family of hash functions that is random enough compared to the running time of S; formally, H should be n^d-wise independent (see [GK96b, CG89]). Given h ← H, let V*_h be the verifier that, when queried with transcript τ, responds (deterministically) with the message h(τ). We write V* = V*_H to mean V*_h for a randomly chosen h, i.e., when D runs S^{V*_H}, D first chooses h randomly from H and then runs S^{V*_h}.

We make two easy observations about S^{V*} due to [GK96b]. First, we may assume that whenever S queries V* with a transcript or outputs a transcript τ, it first queries V* with all the prefixes of τ; this only increases the running time of S polynomially. Second, we may assume that S never queries V* with the same transcript twice (instead S may keep a table of answers). Then the set of all responses generated by V*_h is identical to the uniform distribution since H is n^d-wise independent and S makes at most n^d queries to V*.

We need to show that the decision procedure D is both complete and sound. Completeness states that if x ∈ L, then D should accept x with probability at least 2/3. This easily follows: the output of S^{V*}(x) is indistinguishable from an interaction of (P^m, V*) since S is a zero-knowledge simulator. Furthermore, (P^m, V*) is identical to m copies of (P, V) since V* produces independent, truly random verifier messages (made possible since V is public-coin). Finally, by the completeness property of Π, V will accept x with probability 1 in all the copies of (P, V).

Soundness states that if x ∉ L, then D should accept with probability at most 1/3. That is, S^{V*}(x) can produce an accepting view of V* with probability at most 1/3. Equivalently, we may view S as an n^d-query fixed-input resettable prover, and show that the protocol (P^m, V*) is n^d-query fixed-input resettably sound. Therefore, Theorems 1 and 2 are completed by the following lemmas, respectively:

Lemma 3 (Resettably Sound Proofs). Suppose Π = (P, V) is a k = poly(n)-round public-coin black-box zero-knowledge proof with soundness error 1/2. If m > k log² n and H is a family of q = poly(n)-wise independent hash functions, then (P^m, V*_H) is q-query fixed-input resettably-sound.


Lemma 4 (Resettably Sound Arguments). Suppose Π = (P, V) is a k = poly(n)-round public-coin black-box zero-knowledge argument with soundness error 1/2. If m > k² log² n and H is a family of q = poly(n)-wise independent hash functions, then (P^m, V*_H) is q-query fixed-input resettably-sound.


Remark. Lemmas 3 and 4 may be stronger than necessary in two ways. Firstly, the definition of resettable soundness requires negligible soundness error, while our main theorems only require soundness error 1/3. Secondly, the definition of resettable soundness allows the resetting prover to interact with polynomially many copies of V*_h with uniformly and independently chosen h's, while the zero-knowledge simulator only interacts with one copy of V*_h for a uniformly chosen h. This second difference is moot, however, because it is trivial to reduce a resetting attack on polynomially many copies of V*_h (with uniformly and independently chosen h's) to a resetting attack on a single copy of V*_h (with uniformly chosen h), with only a polynomial loss in success probability. Therefore, in our proofs for Lemmas 3 and 4, we only consider one copy of V*_h.


3.2  Proof  of  Lemma  3:  Resettably-Sound  Proofs 

Using the soundness amplification theorem of [BM88], protocol Π^m has soundness error at most 1/2^m. Let P* be a q-query fixed-input resettable prover. Suppose for the sake of contradiction that for some input x ∉ L, V*_H accepts a resettable interaction with P* with probability 1/p(n) for some polynomial p. We follow the strategy of [GK96b] to use P* in order to break the soundness of Π^m.

Whenever P* succeeds in breaking resettable soundness, P* would have queried V* for k verifier messages that together form an accepting transcript of Π^m. A cheating prover of Π^m can therefore run P* internally, guess which queries of P* will form the accepting transcript, and forward them to an outside honest verifier of Π^m. Since P* queries V* for at most q(n) messages, the probability of guessing all the right queries is at least q^{-k} (one guess for each round of Π). Note that forwarding queries to an outside honest verifier does not lower the success probability of P* since V* is identical to an honest verifier (they both respond with random messages). Thus this cheating prover, using P*, can break the soundness of Π^m with probability at least (1/p) q^{-k} = 2^{-Θ(k log n)}. Since m > k log² n, we have 2^{-m} < 2^{-Θ(k log n)} and reach a contradiction. □

3.3  Proof  of  Lemma  4:  Resettably-Sound  Arguments 

We turn to prove our main result. Again we argue by contradiction. Suppose P* is a q-query fixed-input resettable prover, and suppose P* convinces V*_H on some input x ∉ L with probability more than 1/p(n) for some polynomial p. We cannot repeat the proof of Lemma 3 because parallel repetition cannot reduce the soundness error of arguments beyond negligibly small. Instead, we directly show a parallel repetition theorem for resettable soundness; that is, we relate the resettable soundness of (P^m, V*_H) to the soundness of Π.

Proof Outline. The rest of this section describes how to construct a cheating prover T for Π. T runs P* internally and simulates V*_H in response to P*'s queries. Every query made by P* is answered by a uniformly random reply. This perfectly simulates V*_H since H is q-wise independent and P* makes at most q queries (and never makes the same query twice); at the end of the q-th query, T will have implicitly defined a hash function h ∈ H and simulated V*_h, and P* will have successfully broken resettable soundness with probability 1/p(n) over the choice of these random replies (i.e., generated an accepting view of V*_h).

To break the (stand-alone) soundness of Π, T chooses one of the m parallel sessions and forwards a complete set of P*-queries in that session (one for each round of Π) to an honest outside verifier V. The goal is to forward the queries on which P* is able to convince V* = V*_h in protocol Π^m. This is challenging because P* may have multiple queries for each round of Π^m. While T must decide whether to forward a query at the time of the query, P* can wait until all queries are completed before choosing which queries form an accepting view of V*. To overcome this obstacle, a key part of our analysis relies on rewinding P* (note that at the same time, P* believes that it is rewinding V*). Our strategy is twofold. First, we only forward queries that have some chance (preferably a good chance) of being included in a convincing transcript; this is done by doing test-runs of P*. Once we have forwarded a query, we force P* to use the query to convince V*, by repeatedly rewinding P*.

We describe a transcript of P* as an alternating sequence of responses from T and queries from P*, [t_1, s_1, t_2, s_2, ...], where each P*-query s_i is in fact a partial transcript of Π^m that ends with a prover message, awaiting a verifier response. To avoid confusion, in our analysis, τ and ⟨·⟩ denote views of V* (transcripts of Π^m), while h and [·] denote transcripts of P* (transcripts of a resettable execution of Π^m). The goal of T is then to generate a full transcript h of P* in which P* generates a convincing transcript τ of (P^m, V*), while simultaneously having the foresight to forward (a session of) all the P*-queries pertaining to τ to the external verifier V (i.e., all P*-queries in h that are a prefix of τ). If so, T has broken the soundness of Π, and we call this a successful simulation of P*. Note that because the randomness of P* is fixed, the behaviour of P* is entirely determined by the T-responses in a transcript.

We start with a brief description of T. T first fixes a random session j ∈ {1, ..., m} to be forwarded. Then in k iterations (one for each round of Π), T incrementally fixes a transcript of P* and forwards a P*-query to V. In more detail, at the beginning of iteration i, T starts with a partial transcript h_i = [t_1, s_1, ..., s_ℓ] of P* that ends with s_ℓ = τ_i, a query for the i-th message of Π^m (h_1 = [], the empty transcript). Then:

Step 1. T forwards session j of the query τ_i to V, and receives a response v_i^(j).

Step 2. Fixing the reply v_i^(j), T uniformly samples completions of the partial transcript h_i until a "successful" completion h is found; specifically, P* on transcript h should produce an accepting view τ of V* that extends the query τ_i. To move onto the next iteration, let τ_{i+1} be the length i+1 prefix of τ, and let h_{i+1} be the prefix of h up until P* makes the query τ_{i+1}.

During the analysis, we first use Raz's lemma to show that because the number of sessions is large and j was chosen randomly, we may pretend v_i^(j) is nicely chosen, conditioned on success, just like the other sessions (chosen by T in Step 2). We also show that T rarely aborts.

Proof Details. We now introduce a series of hybrid simulators that formally define T; all our hybrids generate truly random responses to P*-queries so that P* cannot distinguish the hybrids from V*. We start with a hypothetical hybrid, and gradually move towards T.

Hybrid 1. Our first hybrid, T^(1), serves to introduce the general idea of how T queries P* internally; T^(1) does not yet forward messages to the external verifier V.

T^(1) builds a full transcript of P* in k+1 iterations. In iteration i, T^(1) fixes a P*-query τ_i for the i-th message of Π^m. This query should have a good chance of being used by P* in an accepting transcript of Π^m, and therefore is a good candidate to forward externally. Note that fixing a P*-query amounts to fixing the transcript of P* up until the desired P*-query is made.

We now describe T^(1) in detail. In the very beginning, T^(1) fixes a random session j ∈ {1, ..., m}; eventually the j-th session will be forwarded externally. After that, T^(1) incrementally grows a transcript of P* in k iterations. During the i-th iteration, T^(1) receives a partial transcript of P* from the previous iteration, h_i = [t_1, s_1, ..., s_ℓ = τ_i], where τ_i is a P*-query for the i-th verifier message of Π^m (h_1 = [], the empty transcript). As an invariant maintained by T^(1), it should be possible to extend h_i into a full transcript of P* where P* outputs an accepting view of V* containing the query τ_i. We call such a full transcript a successful completion of h_i. Each iteration can be further divided into two steps:

Step 1. T^(1) does not forward τ_i to the external V; instead it simulates a response as follows. T^(1) randomly samples a completion of h_i into h, conditioned on success (always possible due to the invariant). Let v_i^(j) be the response to τ_i in the j-th session in the successful completion h. Let h̄_i be a partial extension of the partial transcript h_i where the session j response to τ_i is fixed to v_i^(j) (but the responses in other sessions are not specified).

Step 2. T^(1) now samples a completion of h̄_i into h conditioned on success (note that h from the previous step is one such completion). Under transcript h, P* would output an accepting view τ of V* (note that τ must extend τ_i). Let τ_{i+1} be the P*-query for the (i+1)-st verifier message in τ (note that τ_{i+1} extends τ_i by definition of success). T^(1) then sets h_{i+1} to be the prefix of h up to when P* makes the query τ_{i+1}. Note that the invariant holds since by definition h is a successful completion of h_{i+1}.

Figure 1: In order to interact with an outside honest verifier V, the reduction T internally maintains a partial interaction between the given resetting prover, P*, and the (supposedly resettably-sound) verifier V*_h. The figure captures T after Step 1 of the (i+1)-st iteration, and illustrates some of the notations we define in the analysis.

Note that in Step 2 of the final (k-th) iteration, T^(1) simply outputs h as a full transcript of P* (there is no τ_{k+1} to fix). Due to the invariant, T^(1) always produces a transcript of P* on which P* outputs an accepting transcript τ. Moreover, the prefixes of τ would be the same queries τ_1, ..., τ_k that were "chosen" by T^(1) in each iteration (and would eventually be forwarded to the external verifier V in later hybrids).

Hybrid 2. Our second hybrid, T^(2), describes a way to efficiently sample successful completions in Step 2 of each iteration (Step 1 will be replaced with the external verifier and is left alone for now). In Step 2, T^(2) randomly completes the given partial execution (h̄_i) up to 100k²pq times, until a successful completion is found. If none of the completions are successful, T^(2) aborts. Note that conditioned on T^(2) not aborting, the output distribution of T^(2) is identical to that of T^(1).

To show that T^(2) aborts with small probability, suppose for now that T^(2) is allowed to sample an unbounded number of completions. Let us bound the expected number of random completions that are needed to sample a successful one. In the following analysis we distinguish between two probability spaces: Pr_P[·] is used to measure probabilities over a single execution of P*. On the other hand, Pr_T[·] is used to measure probabilities over an execution of T^(2) (with an unbounded number of completions), which includes rewinding and executing P* multiple times.

Let H_i and H̄_i be the sets of possible partial transcripts of P* that are given to T^(2) in Step 1 and Step 2 of the i-th iteration, respectively. Given h ∈ H_i (or H̄_i), let Pr_P[h] denote the probability that a transcript of P* has prefix h, and let Pr_T[h] denote the probability that T^(2) is given h in the i-th iteration; similarly, Pr_P[· | h] and Pr_T[· | h] are probabilities conditioned on these events occurring. Let A_h be the event (over the P* probability space) that a transcript of P* has prefix h and is a successful completion of h; as a special case, A = A_∅ is just the event that P* outputs an accepting transcript. Also let R_i be the random variable (over the T^(2) probability space) that denotes the number of completions performed by T^(2) in Step 2 of iteration i.

First we give a claim. Intuitively, the claim says that the probability of T^(2) fixing h is proportional to the probability of successfully completing h; the normalizing factor is simply Pr_P[A], the probability that P* produces an accepting transcript.

Claim 5. Let h ∈ H_i or h ∈ H̄_i. Then Pr_T[h] Pr_P[A] = Pr_P[A_h].

Proof. Recall that the behaviour of P* is entirely determined by the random messages generated by T^(2). Let us consider a complete binary tree 𝒯 of depth n^d that represents all possible length-n^d random bit-strings generated by T^(2). Then every partial execution h of P* corresponds to a node in 𝒯 based on the verifier messages received so far by P* in h.

Let us focus on the leaf nodes in 𝒯 since they occur with equal probability. Given h, define L(h) to be the set of leaf nodes in 𝒯 that are descendants of the node of h; these nodes correspond to possible completions of h. We also define G(h) to be the subset of L(h) that corresponds to successful completions of h (i.e., leaves where the event A_h is true). Finally let L_∅ = L(∅) be all the leaf nodes, and G_∅ = G(∅) be the subset of L_∅ that corresponds to executions where P* produces an accepting transcript.

Recall that our goal is to prove that

$$\Pr_T[h]\,\Pr_P[A] = \Pr_P[A_h]\,.$$

Clearly

$$\Pr_P[A] = \frac{|G_\emptyset|}{|L_\emptyset|}\,, \qquad \Pr_P[A_h] = \frac{|G(h)|}{|L_\emptyset|}\,. \qquad (1)$$


To expand Pr_T[h], let h_1, h̄_1, h_2, h̄_2, ... be the prefixes of h given to T^(2) in the previous steps of previous iterations, with h_1 = [] and the chain ending at h itself (h = h_i or h = h̄_i). Each step fixes its prefix by sampling a completion of the previous prefix conditioned on success, so the probability of moving from a prefix g to an extension g' is |G(g')|/|G(g)|, and the expression for Pr_T[h] telescopes:

$$\Pr_T[h] = \Pr_T[h_1]\,\prod_{\ell}\Pr_T[\bar h_\ell \mid h_\ell]\,\prod_{\ell\ge 2}\Pr_T[h_\ell \mid \bar h_{\ell-1}] = \frac{|G(h_1)|}{|G_\emptyset|}\,\prod_{\ell}\frac{|G(\bar h_\ell)|}{|G(h_\ell)|}\,\prod_{\ell\ge 2}\frac{|G(h_\ell)|}{|G(\bar h_{\ell-1})|} = \frac{|G(h)|}{|G_\emptyset|}\,, \qquad (2)$$

where both products run over the prefixes in the chain up to h (and |G(h_1)| = |G_∅| since h_1 = []). Equations (1) and (2) together give the claim. □

Now  we  bound  the  expected  number  of  samples  needed  to  find  a  successful  completion. 
Lemma 6. E_T[R_i] ≤ pq.

Proof. First expand E_T[R_i] by conditioning on the transcript h fixed in Step 1:

$$E_T[R_i] = \sum_{h\in \bar H_i}\Pr_T[h]\,E_T[R_i\mid h] \qquad (3)$$

Recall that in Step 2, T^(2) samples random completions of h until a successful completion is found. Therefore

$$E_T[R_i\mid h] = \frac{1}{\Pr_P[A_h\mid h]}\,, \qquad E_T[R_i] = \sum_{h\in\bar H_i}\frac{\Pr_T[h]}{\Pr_P[A_h\mid h]}\,. \qquad (4)$$
By expanding the RHS of Claim 5 and rearranging terms, we have

$$\Pr_T[h]\,\Pr_P[A] = \Pr_P[A_h] = \Pr_P[h]\,\Pr_P[A_h\mid h] \;\Longrightarrow\; \frac{\Pr_T[h]}{\Pr_P[A_h\mid h]} = \frac{\Pr_P[h]}{\Pr_P[A]} \le p\,\Pr_P[h]$$

since we assumed Pr_P[A] > 1/p. Substituting this back into (4) gives

$$E_T[R_i] \le p\sum_{h\in\bar H_i}\Pr_P[h] \qquad (5)$$


Finally, we may break up the set H̄_i based on the length ℓ of h, which ranges from 1 to q (where length is the number of P*-queries). Since each transcript of P* has exactly one length-ℓ prefix, the transcripts in H̄_i of length ℓ have total probability at most 1, and

$$E_T[R_i] \le p\sum_{\ell=1}^{q}\;\sum_{h\in\bar H_i,\,|h|=\ell}\Pr_P[h] \le p\sum_{\ell=1}^{q}1 = pq\,. \qquad \Box$$


Finally, we show that 100k²pq random completions are enough for T^(2).

Lemma 7. T^(2) aborts with probability at most 1/5.

Proof. Since E_T[R_i] = ∑_h Pr_T[h] E_T[R_i | h] = E_T[E_T[R_i | h]] ≤ pq, the Markov inequality states that the probability of T^(2) fixing an h such that E_T[R_i | h] > 10kpq is at most 1/(10k). For each "good" h where E_T[R_i | h] ≤ 10kpq, we apply the Markov inequality again to obtain Pr_T[R_i > 100k²pq | h] ≤ 1/(10k). Using the union bound we see that in any iteration, T^(2) aborts in Step 2 with probability at most 1/(5k). A final union bound over the k iterations shows that T^(2) aborts overall with probability at most 1/5. □


Hybrid 3. Our third and final hybrid T^(3) = T differs from T^(2) in Step 1 of each iteration. Recall that some session j is chosen randomly as the forwarding session. Instead of generating v_i^(j) in Step 1, T^(3) asks the external honest verifier V for a verifier message. Because Π is public-coin, T^(3) can continue to complete partial transcripts of P* even if session j is forwarded to V externally.

Given transcript h_i = [t_1, s_1, ..., s_ℓ = τ_i] in iteration i, T^(3) forwards session j of τ_i to V, and uses the response from V as v_i^(j) in Step 2.² Suppose for now that T^(3) does not abort and terminates successfully. Then P* would have generated an accepting transcript τ of Π^m. Since τ_1, ..., τ_k are prefixes of τ, session j of τ would be an accepting transcript of Π consisting of forwarded prover messages and responses from V. This breaks the soundness of Π.

Therefore, it remains to show that T^(3) is successful with probability more than 1/2. We will use Raz's lemma [Raz98, Claim 5.1] in analogy with [IJK07, HPWP10] to show that v_i^(j) as generated by T^(1) and T^(2) is actually very close to the uniformly random messages generated by the honest verifier V. First we cite Raz's lemma as it appears in [Hol07, Lemma 5]:

Lemma 8. Let {U_j}_{j ∈ [m]} be independent random variables on 𝒰 with probability distributions P_{U_j}. Let W be an event in 𝒰^m and Pr[W] be measured according to the joint probability distribution ∏_j P_{U_j}. Then

$$\frac{1}{m}\sum_{j=1}^{m}\Delta(U_j\mid W,\ U_j) \le \sqrt{\frac{1}{m}\log\frac{1}{\Pr[W]}}$$

² Strictly speaking, the interaction between T^(3) and the honest verifier V is non-resetting. Therefore, instead of forwarding session j of query τ_i to V, T^(3) simply sends the last prover message in session j of the query τ_i to V. For ease of exposition, we continue to use the phrase "forwards the query τ_i" to mean the above.
where Δ is the statistical distance between distributions, and U_j|W is the j-th component of an element in 𝒰^m chosen based on the joint probability distribution ∏_j P_{U_j}, conditioned on W.

In other words, let {U_j}_j be independent random variables, and let W be an event over ∏_j U_j. If W occurs with high probability and there are many U_j, then on average over j, sampling U_j conditioned on W does not differ much from simply sampling U_j. Lemma 8 allows us to bound the change in success probability when T^(3) forwards messages from a random session to V.

Lemma 9. T^(3) fails with probability at most 3/10 + O(1/√(log n)).

Proof. We first construct a series of finer hybrids, T_1, ..., T_{k+1}, where T_i proceeds as T^(2) until the start of iteration i (no forwarding), and continues as T^(3) afterwards (with forwarding)³. Observe that T_1 = T^(3) and T_{k+1} = T^(2).

Consider two neighbouring hybrids, T_i and T_{i+1}, which differ only in iteration i. Let h be the partial execution given in iteration i. For j ∈ [m], let U_j be the random variable that denotes all the additional session j messages sent by T to randomly complete h, i.e., {U_j}_j are independent and uniformly random. Let W_h be the event that the random messages U_1, ..., U_m together produced a successful completion of h. By definition, the distribution of v_i^(j) produced by T_{i+1} (i.e., T^(2)) is just the first message of U_j|W_h. On the other hand, the distribution of v_i^(j) produced by T_i (i.e., T^(3)) is just the uniform distribution, just like the first message of U_j.

Since T_i and T_{i+1} only differ in how v_i^(j) is produced, their difference in success probability can be bounded by the statistical distance between the two distributions of v_i^(j). This is in turn bounded by:

$$\sum_{h\in H_i}\sum_{j=1}^{m}\Pr_T[h]\,\Pr[\mathbf{j}=j]\,\Delta(U_j\mid W_h,\ U_j) = \sum_{h\in H_i}\Pr_T[h]\left(\frac{1}{m}\sum_{j=1}^{m}\Delta(U_j\mid W_h,\ U_j)\right) \qquad (*)$$

Lemma 8 states that for any event W,

$$\frac{1}{m}\sum_{j=1}^{m}\Delta(U_j\mid W,\ U_j) \le \sqrt{\frac{1}{m}\log\frac{1}{\Pr[W]}}\,.$$


Observe that before iteration i, T_i and T_{i+1} are identical to T^(2). When T^(2) does not abort, T^(2) is identical to T^(1). In that case, Lemma 6 along with the Markov inequality implies that except with probability 1/(10k), T^(2) fixes a "good" h with E_T[R_i | h] ≤ 10kpq, so that

$$\Pr[W_h] = \Pr_P[A_h\mid h] = \frac{1}{E_T[R_i\mid h]} \ge \frac{1}{10kpq}\,.$$


We can now break the sum in (*) into two parts. Observe that

$$\sum_{\text{bad } h\in H_i}\Pr_T[h]\left(\frac{1}{m}\sum_{j=1}^{m}\Delta(U_j\mid W_h,\ U_j)\right) \le \sum_{\text{bad } h\in H_i}\Pr_T[h] \le \frac{1}{10k}$$

³ This still makes sense since Π is a public-coin protocol; the outside verifier can directly generate a verifier response for any round of the protocol.
since statistical distances are upper bounded by 1, and

$$\sum_{\text{good } h\in H_i}\Pr_T[h]\left(\frac{1}{m}\sum_{j=1}^{m}\Delta(U_j\mid W_h,\ U_j)\right) \le \sum_{\text{good } h\in H_i}\Pr_T[h]\sqrt{\frac{1}{m}\log(10kpq)} \le \sqrt{\frac{1}{m}\log(10kpq)}$$

since ∑_{h ∈ H_i} Pr_T[h] = 1. Together, they show that (*) is at most

$$\frac{1}{10k} + \sqrt{\frac{1}{m}\log(10kpq)} = \frac{1}{10k} + O\!\left(\frac{1}{k\sqrt{\log n}}\right)$$

since m > k² log² n and log(10kpq) = O(log n) (p and q are polynomials in n).

Summing up over the k pairs of neighbouring hybrids, and recalling that T^(2) fails with probability at most 1/5 (Lemma 7), T^(3) fails with probability at most

$$\frac{1}{5} + k\left(\frac{1}{10k} + O\!\left(\frac{1}{k\sqrt{\log n}}\right)\right) \le \frac{3}{10} + O\!\left(\frac{1}{\sqrt{\log n}}\right)\,. \qquad \Box$$


Lemma  9  shows  that  T  is  successful  with  probability  >1/2,  and  completes  the  proof  of  Lemma  4. 

□ 

Remark. As with most lower bounds for black-box zero-knowledge, a careful reading reveals that Theorems 1 and 2 also apply to more liberal definitions of zero-knowledge, such as ε-zero-knowledge⁴ [DNS04] and zero-knowledge with expected polynomial time simulators.


4  Public-Coin  Zero-Knowledge  in  the  Bare  Public  Key  Model 

Many setup assumptions have been used to construct concurrent zero-knowledge with better efficiency than the standard model. For example, in the CRS (common reference string) model, even non-interactive zero-knowledge is possible [FLS90]. Other "weaker" setups have produced varying results, and we will be concentrating on the bare public key model.

In the Bare Public-Key (BPK) model [CGGM00], every player has a public key that can be accessed by any other player. When a protocol is repeated in parallel, we assume that the honest parties use fresh independent public keys for each parallel session. By assuming that all public keys are properly registered before a protocol begins, Canetti, Goldreich, Goldwasser and Micali [CGGM00] showed that constant-round, private-coin arguments exist for NP even if we require black-box resettable zero-knowledge, a property that implies black-box concurrent zero-knowledge. In contrast, in the plain model, O(log n) rounds are required for concurrent black-box zero-knowledge proofs [CKPR01]. It is therefore natural to ask if the BPK setup can overcome our lower bound for public-coin zero-knowledge protocols.

In this section we extend our impossibility result from Sect. 3 to the BPK model. We actually extend our result to a larger class of slightly-private-coin protocols, defined with the following properties:

1. The first message of the protocol, from the verifier, is allowed to be private coin. All other subsequent verifier messages are public-coin, i.e., independent segments of the verifier's random tape.

⁴ In ε-zero-knowledge, the indistinguishability gap between the view of V* and the view generated by the simulator is allowed to be an inverse polynomial, as opposed to negligible.
2. At the end of the protocol, the verifier may run a private coin algorithm to accept or reject the interaction. In particular, the verifier's decision may depend on the private coins used to generate the first message.

Note  that  every  public-coin  protocol  in  the  BPK  model  can  be  transformed  into  a  slightly-private- 
coin  protocol,  because 

1.  The  verifier  can  send  its  public  key  to  the  prover  in  the  first  message  (property  1). 

2.  The  verifier  can  base  its  acceptance  decision  on  its  secret  key  (property  2). 

Our  modified  theorem  is  the  following: 

Theorem 10. Suppose language L has a k = poly(n)-round slightly-private-coin black-box zero-knowledge argument Π with negligible soundness error in n. If m > (k² log² k) log² n and Π^m is zero-knowledge, then L ∈ BPP.

Recall that in the analysis of Theorem 2, we treat the black-box zero-knowledge simulator S as a resetting prover P* of (P^m, V*), and use P* to construct a machine T, which in turn contradicts the soundness of Π. We now have a problem whenever T needs to sample a successful completion of a partial transcript of P*, since T does not know whether the external verifier V would accept or reject the transcript produced by P*. To overcome this problem, we follow an approach similar to [BIN97, HPWP10] by guessing whether V would accept or reject based on whether the other verifiers, simulated by T, accept or reject their respective parallel sessions.

Proof. We extend the analysis of Theorem 2 in analogy with [HPWP10]. We first describe how $T$ guesses whether $V$ accepts or rejects in the forwarded session $j$. Whenever $T$ completes a partial execution of $P^*$, let $z_{-j}$ be the number of sessions, excluding session $j$, in which $S$ produced a rejecting view. We exclude session $j$ for the aforementioned reason: without knowing the private key (or private coins) of the external verifier $V$, $T$ cannot tell whether $V$ will accept or reject the view.

Let $w_{-j}$ be a Bernoulli random variable with $\Pr[w_{-j} = 1] = 2^{-\nu z_{-j}}$, where $\nu$ is an asymptotically small parameter to be determined later. $w_{-j}$ corresponds to $T$'s guess: if $w_{-j} = 1$, $T$ considers the completion successful, and otherwise it does not. Intuitively, $T$ is more likely to consider a completion a success when the number of rejecting sessions is smaller.

To facilitate the analysis, we also consider a hypothetical but more symmetric process. Given a transcript generated by $P^*$, let $z$ be the number of sessions, including session $j$, in which $P^*$ produced a rejecting view. Similarly, let $w$ be the Bernoulli random variable with $\Pr[w = 1] = 2^{-\nu z}$.

We now prove Theorem 10 within the same framework as Theorem 2, using the following modified hybrids. Hybrids $T^{(1)}$, $T^{(2)}$ and $T^{(3)}$ are constructed as before, except that they now compute $z$ and $w$ to determine whether a completion is successful. The final machine, $T$, differs from $T^{(3)}$ by computing $z_{-j}$ and $w_{-j}$ instead.

Claim 11. The probability that $T^{(1)}$ generates a rejecting view in session $j$ is at most

$$\frac{3}{m}\left(\frac{-\log \nu^2}{\nu} + 4\right).$$

Proof.  The  proof  of  this  claim  essentially  follows  from  an  analysis  in  [HPWP10]  (which  contained 
more  general  parameters).  For  the  sake  of  completeness,  we  include  their  analysis  without  the  extra 
parameters  here. 
Before introducing the public-key extension, $T^{(1)}$ simply samples a random successful transcript of $P^*$ (see Claim 5). After adopting the new notion of success based on $w$, $T^{(1)}$ now samples a random transcript of $P^*$ conditioned on $w = 1$. That is, $T^{(1)}$ outputs a transcript of $P^*$ that generates rejecting views in $j$ sessions with probability proportional to $2^{-\nu j}$.

Since $T^{(1)}$ chooses $j$ randomly, it is enough to bound the expected number of rejecting sessions. Let $p_j$ be the probability that in a random execution of $P^*$, the output view contains $j$ rejecting sessions. Then, the expected number of rejecting verifiers is

$$\frac{\sum_{j=0}^{m} p_j \, j \, 2^{-\nu j}}{\sum_{j=0}^{m} p_j \, 2^{-\nu j}} \qquad (6)$$


[HPWP10]  gives  a  bound  of  (6)  with  more  general  parameters.  For  the  sake  of  completeness,  we 
include  their  analysis  below  without  the  extra  parameters. 

Recall that by assumption, $P^*$ generates an output view in which all sessions accept with probability at least $1/3$. Therefore we can lower bound the denominator of (6) by

$$\sum_{j=0}^{m} p_j \, 2^{-\nu j} \;\ge\; p_0 \;\ge\; 1/3 .$$


To upper bound the numerator, we use the following inequality:

$$\frac{2^{-\nu}}{(1 - 2^{-\nu})^2} \;\le\; \frac{1}{(1 - 2^{-\nu})^2} \;\le\; \frac{4}{\nu^2} .$$

The last inequality follows from the fact that $1 - 2^{-\nu} \ge \nu/2$ for small $\nu$. Applying this bound directly to the numerator (using $p_j \le 1$) gives an overly loose bound, since $\nu$ is asymptotically small. Instead, we split the expression for the numerator at some parameter $t$:

$$\sum_{j=0}^{m} p_j \, j \, 2^{-\nu j} \;\le\; \sum_{j=0}^{t} p_j \, j \;+\; \sum_{j=1}^{m-t} (j + t) \, 2^{-\nu (j + t)} \;\le\; t + \frac{4}{\nu^2} \, 2^{-\nu t} .$$

Setting $t = -\log \nu^2 / \nu$, so that $2^{-\nu t} = \nu^2$, we see that the expected number of rejecting verifiers is at most

$$3\left(\frac{-\log \nu^2}{\nu} + 4\right).$$

Since $T^{(1)}$ chooses $j$ uniformly from $\{1, \ldots, k\}$, the probability that $T^{(1)}$ outputs a view that rejects in session $j$ is at most

$$\frac{3}{m}\left(\frac{-\log \nu^2}{\nu} + 4\right).$$


□ 


Lemma 12. The probability that $T^{(2)}$ aborts is at most $1/5$. Otherwise, the output of $T^{(2)}$ is identical to that of $T^{(1)}$.

Proof. By computing $w$ and $z$, there are now more "successful" executions than before (originally, only executions where $z = 0$, i.e., no rejecting sessions, were successful). Therefore, $T^{(2)}$ now aborts with lower probability than before, which is bounded by $1/5$ (Lemma 7). □




Lemma 13. $T^{(3)}$ fails to produce an accepting view in session $j$ with probability at most

$$\frac{3}{m}\left(\frac{-\log \nu^2}{\nu} + 4\right) + \frac{3}{10} + O\!\left(\frac{1}{\sqrt{\log n}}\right).$$


Proof.  This  follows  from  Claim  11,  and  by  applying  Raz’s  lemma  in  the  same  manner  as  in  Lemma  9. 

□ 


Lemma 14. The outputs of $T^{(3)}$ and $T$ differ statistically by at most $k\nu$.

Proof. $T^{(3)}$ and $T$ differ in how a successful completion is recognized. For any completion, the difference in the probability of it being considered successful by $T^{(3)}$ and by $T$ is

$$\Pr[w_{-j} = 1] - \Pr[w = 1] \;=\; 2^{-\nu z_{-j}} - 2^{-\nu z} \;\le\; 2^{-\nu (z - 1)} - 2^{-\nu z} \;\le\; 1 - 2^{-\nu} \;\le\; \nu .$$

For each round of protocol $\Pi$, $T^{(3)}$ and $T$ repeatedly perform the same task (completing a partial transcript of $S$) until $w = 1$ or $w_{-j} = 1$, respectively. Therefore the statistical difference between the two processes is at most $k\nu$. □


Combining Lemmas 13 and 14, we see that $T$ fails to break the soundness of $\Pi$ with probability at most

$$\frac{3}{m}\left(\frac{-\log \nu^2}{\nu} + 4\right) + \frac{3}{10} + O\!\left(\frac{1}{\sqrt{\log n}}\right) + k\nu .$$

By setting $\nu = 1/\sqrt{km}$, the expression becomes

$$3\sqrt{\frac{k}{m}}\,\log(km) + \frac{12}{m} + \frac{3}{10} + O\!\left(\frac{1}{\sqrt{\log n}}\right) + \sqrt{\frac{k}{m}} .$$

Since $m > k^2 \log^2 k \log^2 n$, we conclude that $T$ fails with probability at most $3/10 + o(1)$. That is, $T$ succeeds with non-negligible probability, contradicting the soundness of $\Pi$. □


5  Public-Coin  Bounded  Concurrent  Zero-Knowledge 

In this section we give a family BoundedConcZK of public-coin proofs for NP, parametrized by $k$. The proof with parameter $k$ has $2k^3 + 4$ rounds, and is $k$-bounded concurrent zero-knowledge assuming the existence of one-way functions, whenever $k = \omega(\log n)$, where $n$ is the input size. BoundedConcZK requires the use of statistically hiding commitment schemes.

5.1  Commitment  Schemes 

Commitment protocols allow a sender to commit itself to a value while keeping it secret from the receiver; this property is called hiding. At a later time, the commitment can only be opened to a single value, as determined during the commitment protocol; this property is called binding. Commitment schemes come in two different flavors, statistically binding and statistically hiding; we only make use of statistically binding commitments in this paper. Below we sketch the properties of a statistically binding commitment; full definitions can be found in [Gol01].

In statistically binding commitments, the binding property holds against unbounded adversaries, while the hiding property only holds against computationally bounded (non-uniform) adversaries. The statistical-binding property asserts that, with overwhelming probability over the randomness of the receiver, the transcript of the interaction fully determines the value committed to by the sender. The computational-hiding property guarantees that commitments to any two different values are computationally indistinguishable.

Non-interactive statistically-binding commitment schemes can be constructed from any one-to-one one-way function (see Section 4.4.1 of [Gol01]). Allowing some minimal interaction (in which the receiver first sends a single random initialization message), statistically-binding commitment schemes can be obtained from any one-way function [Nao91, HILL99].

5.2  A  Bounded  Concurrent  Public-Coin  ZK  Protocol 

Our construction of BoundedConcZK is similar in spirit to the concurrent zero-knowledge protocol of [RK99]. Given a language $L \in \mathrm{NP}$ and a parameter $k$, we construct a two-stage public-coin proof $(P, V)$ as follows. In stage one, $2k^3$ rounds of messages are exchanged, where in each round the prover gives a statistically binding commitment to a random bit $p_i$, and the verifier responds with a random bit $v_i$; we call $p_i = v_i$ a correct guess (note that unlike [RK99], the verifier does not commit to the bits $v_i$). In stage two, $(P, V)$ runs a 4-round public-coin witness-indistinguishable proof of the modified NP statement "either $x \in L$ or $p_i = v_i$ for $k^3 + k^2/2$ values of $i$", where $x$ is the problem instance. This can be instantiated with a parallel repetition of the Blum Hamiltonicity protocol [Blu86] with 2-round statistically binding commitments constructed from one-way functions. The verifier accepts if the prover is successful in the stage two proof.


Protocol BoundedConcZK

Common Input: An instance $x$ of a language $L \in \mathrm{NP}$ and a parameter $k$.

Stage One: For $i$ from 1 to $2k^3$:

P → V : Commit to a random bit $p_i$ using a statistically binding commitment.

V → P : Reply with a random bit $v_i$.

Stage Two: A 4-round public-coin witness indistinguishable proof (e.g., parallel repetitions of the Blum Hamiltonicity protocol [Blu86]) of the NP statement:

$$\big(\text{there exist distinct } i_1, \ldots, i_{k^3 + k^2/2} \text{ s.t. } p_{i_j} = v_{i_j} \text{ for all } j\big) \;\vee\; (x \in L)$$

Figure 2: Our public-coin black-box bounded concurrent zero-knowledge protocol.

We choose $2k^3$ rounds of interaction in Stage One of BoundedConcZK for the following two reasons. First, by the Chernoff bound, we expect that no adversarial prover can have more than $k^3 + O(\sqrt{k^3})$ correct guesses. Hence BoundedConcZK is sound. On the other hand, a zero-knowledge simulator can repeatedly rewind the verifier until it gets a correct guess. Intuitively (and shown formally later), in each round of stage one, the simulator can set one extra $p_i = v_i$ for some session, in addition to "natural luck" (which gives correct guesses for half of the sessions). Since the number of sessions is bounded by $k$, the simulator is able to have $k^3 + O(k^3/k) = k^3 + O(k^2)$ correct guesses per session. This provides the simulator with a trapdoor to simulate stage two of the protocol, and hence BoundedConcZK is bounded concurrent zero-knowledge. We remark that $k^3$ was chosen for the sake of simplicity and is not optimized. We show completeness and soundness below.

BoundedConcZK is clearly complete. A prover given a correct problem instance and witness pair, $(x \in L, w)$, can commit to random bits in stage one, and use $w$ to successfully complete the stage two proof.




We next show that BoundedConcZK has negligible soundness error. Suppose $x \notin L$. Then there are two ways for the prover to mislead the verifier:

1. The prover may have $p_i = v_i$ for $k^3 + k^2/2$ (or more) values of $i$, either by breaking the binding property of the commitment, or by guessing luckily. The former occurs with negligible probability since the commitment is statistically binding. The latter occurs with probability $e^{-k/4}$ by the Chernoff bound⁵.

2. Otherwise, the prover may break the soundness of the stage two proof, which occurs with probability at most $2^{-k}$ due to the parallel repetitions.

Since $k = \omega(\log n)$, both $e^{-k/4}$ and $2^{-k}$ are negligible in $n$.
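The two failure modes above are quantitative, so here is the arithmetic behind them as an added example (this is not the paper's code). It takes the protocol's own parameters, $2k^3$ stage-one rounds and a trapdoor threshold of $k^3 + k^2/2$ correct guesses, evaluates the Chernoff form from the footnote, and also computes the lucky-guess probability exactly as a binomial tail so that the two can be compared. The function names and the choice to round the threshold up for odd $k$ are mine; the $2^{-k}$ term for the stage two proof is taken from the text.

```python
"""Soundness arithmetic for stage one of BoundedConcZK (added example; not the paper's code).

exact_guessing_tail is the exact probability that a cheating prover who cannot break the
binding property still reaches the trapdoor threshold by luck; chernoff_bound is the paper's
e^{-k/4} estimate of the same event.  Everything here is arithmetic on constructed parameter
values; no protocol is executed.
"""
import math


def stage_one_rounds(k: int) -> int:
    # Stage one consists of 2k^3 commit/reply rounds.
    return 2 * k ** 3


def trapdoor_threshold(k: int) -> int:
    # k^3 + k^2/2 correct guesses; rounded up so that it is an integer count for odd k
    # (assumption made for this example).
    return k ** 3 + (k ** 2 + 1) // 2


def chernoff_bound(k: int) -> float:
    # Footnote 5: Pr[sum X_i >= n/2 + a] <= exp(-2a^2/n).  With n = 2k^3 and a = k^2/2
    # this is exp(-k/4).
    n, a = stage_one_rounds(k), k ** 2 / 2
    return math.exp(-2 * a * a / n)


def exact_guessing_tail(k: int) -> float:
    # Exact Pr[Bin(2k^3, 1/2) >= threshold]: the verifier's bits are uniform and the
    # commitment hides p_i, so each round is an independent fair coin for the prover.
    n, thr = stage_one_rounds(k), trapdoor_threshold(k)
    favourable = sum(math.comb(n, i) for i in range(thr, n + 1))
    return favourable / 2 ** n


def soundness_error(k: int) -> float:
    # Lucky guessing (bounded by Chernoff) plus breaking the stage two proof (2^{-k});
    # the negligible chance of breaking statistical binding is omitted.
    return chernoff_bound(k) + 2.0 ** (-k)


if __name__ == "__main__":
    for k in (3, 4, 6, 8):
        print(k, trapdoor_threshold(k), exact_guessing_tail(k), chernoff_bound(k), soundness_error(k))
```

The exact tail is always below the Chernoff value (that inequality is Hoeffding's bound for fair coins), and both shrink as $k$ grows, which is the sense in which the $k = \omega(\log n)$ condition makes the error negligible; for small constant $k$ the bound is loose and the error is far from negligible.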

5.3  Black-Box  Bounded  Concurrent  Zero-Knowledge 

We construct a black-box simulator $S$ such that, given an adversarial verifier $V^*$, $S$ generates the view of $V^*$ in BoundedConcZK, provided that the number of concurrent sessions $m$ satisfies $m \le k$. The goal of $S$ is to obtain as many correct guesses as possible by rewinding $V^*$. Towards that goal, $S$ employs a simple greedy strategy to incrementally generate and fix a partial view of $V^*$. Whenever $V^*$ sends $S$ a first-stage message $v_i$, $S$ checks whether it had guessed correctly when committing to $p_i$. If so, $S$ lengthens the partial view of $V^*$ to include this correct guess. Otherwise, $S$ rewinds $V^*$ back to the previously generated partial view. This "incremental strategy" is somewhat reminiscent of [Lin03], but since our protocol is public-coin, the actual analysis is quite different. Additionally, we take care to always simulate the stage two proof in a straight-line fashion without rewinds, so that we may use a simple hybrid argument to show the zero-knowledge property.

We use superscripts to distinguish messages from different sessions. To prevent $S$ from focusing too much on one particular session, we keep $m$ counters, $c^1, \ldots, c^m$, to record how much "work" has been done in each session. In general, $S$ proceeds as follows to incrementally fix the view (originally the empty view is fixed). When asked to provide a prover message:

1. $S$ commits to a fresh random bit for each stage one prover message.

2. For each stage two proof, $S$ aborts if in this session $p_i = v_i$ for fewer than $k^3 + k^2/2$ values of $i$. Otherwise, $S$ uses these as a witness to generate the prover messages in the stage two proof.

When receiving a verifier message:

3. If $S$ receives a message $v_i^j$ (from session $j$) and $c^j < 2k^2$, it checks whether the commitment to $p_i^j$ is part of the fixed partial view. If yes, $S$ simply continues, "giving up" on this guess. Otherwise, $S$ checks whether $p_i^j = v_i^j$. If yes, $S$ extends the fixed partial view up to message $v_i^j$ and increments $c^j$; in this case we say $v_i^j$ is rigged. If $p_i^j \ne v_i^j$, then $S$ rewinds $V^*$ to start a fresh continuation from the previously fixed partial view.

4. If $S$ receives the second stage two verifier message from any session (e.g., the challenge message of the Blum Hamiltonicity protocol), it extends the fixed partial view up to the just-received verifier message. As a consequence, all stage two proofs are simulated by $S$ in a straight-line fashion without rewinds.

⁵Here we use the following form of the Chernoff bound. If $\{X_i\}$ are i.i.d. satisfying $\Pr[X_i = 0] = \Pr[X_i = 1] = 1/2$, then $\Pr[\sum_{i=1}^{n} X_i \ge n/2 + a] \le e^{-2a^2/n}$.
5. If $S$ has performed $k - 1$ rewinds without rigging a message or encountering a stage two verifier message, and on the $k$-th try again receives $v_i^j \ne p_i^j$ where $p_i^j$ is not fixed and $c^j < 2k^2$, $S$ simply gives up and pretends to rig $v_i^j$ anyway (albeit incorrectly). That is, $S$ extends the fixed partial view up to message $v_i^j$ and increments $c^j$.
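The five steps above, run end to end against a constructed verifier, as an added example that is not the paper's own code. Everything the paper leaves abstract is replaced by a labelled stand-in: the commitment is a SHA-256 hash of (bit, nonce); $V^*$ is a deterministic adversary that runs the $m$ sessions in lock-step, collecting one commitment from every session and then answering all of them at once with bits derived from a secret key and the whole transcript so far; stage two is reduced to the trapdoor check "at least $k^3 + k^2/2$ correct guesses". Because this $V^*$ is a function of its input, rewinding it is modelled by replaying a shorter transcript. The names `LockstepVerifier`, `simulate` and `run_demo`, the toy parameters $k = 3$, $m = 2$ and the seed are all mine.

```python
"""Toy run of the BoundedConcZK stage-one simulator S (added example; not the paper's code).

Constructed assumptions: commit() is a hash commitment standing in for a statistically
binding one; LockstepVerifier is a PRF-style V* that answers a whole block of m commitments
at once; stage two is only the trapdoor count.  Rewinding = replaying a shorter transcript.
"""
import hashlib
import random


def commit(bit: int, nonce: bytes) -> str:
    # Constructed hash commitment to one bit; the nonce is what hides the bit from V*.
    return hashlib.sha256(bytes([bit]) + nonce).hexdigest()


class LockstepVerifier:
    """V*: answers a block of m commitments (one per session) with m bits."""

    def __init__(self, key: bytes, m: int):
        self.key, self.m = key, m

    def answer_block(self, transcript: list) -> list:
        # transcript[b][j] is session j's commitment in block b.  The answers to the last
        # block depend on every block, so a replayed (rewound) prefix gets fresh answers.
        data = "|".join(",".join(block) for block in transcript).encode()
        digest = hashlib.sha256(self.key + data).digest()
        return [(digest[j % 32] >> (j // 32 % 8)) & 1 for j in range(self.m)]


def simulate(k: int, m: int, verifier: LockstepVerifier, rng: random.Random) -> dict:
    rounds, cap = 2 * k ** 3, 2 * k ** 2          # stage-one rounds; rigging cap c^j < 2k^2
    threshold = k ** 3 + (k ** 2 + 1) // 2        # k^3 + k^2/2 (rounded up for odd k)
    fixed = []                                    # fixed partial view: blocks of commitments
    counters, correct = [0] * m, [0] * m          # c^j and the number of p = v in session j
    rewinds = 0
    while len(fixed) < rounds:
        attempts = 0
        while True:
            bits = [rng.getrandbits(1) for _ in range(m)]                       # step 1
            block = [commit(p, rng.getrandbits(64).to_bytes(8, "big")) for p in bits]
            replies = verifier.answer_block(fixed + [block])
            # Replies are read in session order; the first session still below its cap
            # decides whether this continuation is kept (rigged) or rewound (step 3).
            target = next((j for j in range(m) if counters[j] < cap), None)
            if target is None or bits[target] == replies[target] or attempts == k - 1:
                break                             # rig it, or give up on the k-th try (step 5)
            attempts += 1
            rewinds += 1                          # rewind V* to the fixed view and retry
        fixed.append(block)                       # the whole block is now part of the view
        if target is not None:
            counters[target] += 1                 # v^target is "rigged" (possibly wrongly)
        for j in range(m):                        # every other reply in the block is "given up"
            correct[j] += int(bits[j] == replies[j])
    aborted = [j for j in range(m) if correct[j] < threshold]   # step 2: no trapdoor witness
    return {"correct": correct, "threshold": threshold, "counters": counters,
            "rewinds": rewinds, "aborted_sessions": aborted}


def run_demo(k: int = 3, m: int = 2, seed: int = 7) -> dict:
    # Fixed seed and constructed key make the run reproducible.
    return simulate(k, m, LockstepVerifier(b"constructed-key", m), random.Random(seed))


if __name__ == "__main__":
    print(run_demo())
```

What this run guarantees, independently of the verifier's choices, is exactly what Claim 15 and the proof of Claim 16 rely on: no session is rigged more than $2k^2$ times, at most $k-1$ rewinds are spent per rigged message, and after every rigging step the remaining replies in the block are fixed without a retry. Whether the toy actually reaches the trapdoor threshold is a matter of luck at $k = 3$; the paper's argument that it does except with negligible probability needs $k = \omega(\log n)$.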

The next two claims show that $S$ is a $k$-bounded black-box zero-knowledge simulator when $k \in \omega(\log n)$.

Claim 15. $S$ runs in (strict) polynomial time.

Proof. $S$ performs at most $km(2k^2)$ rewinds, which is polynomial in $n$. □

Claim 16. If $x \in L$ and $m \le k$, then $S^{V^*}(x, z)$ and $\mathrm{View}_{V^*}(x, z)$ are computationally indistinguishable over $n$.

Proof.  We  introduce  a  series  of  hybrids. 

Hybrid 1. Our first hybrid $S_1$ is given a witness $w$ to the statement $x \in L$. $S_1$ proceeds identically to $S$ until a stage two proof is reached. $S_1$ aborts if $S$ aborts, but uses the witness $w$ instead of the various $p_i$'s to complete the stage two proof. Even though $S$ performs many rewinds, $S$ never rewinds a partial stage two proof. Therefore, $S^{V^*}(x, z)$ and $S_1^{V^*}(x, z)$ are computationally indistinguishable because the stage two proof is witness indistinguishable.

Hybrid 2. Our second hybrid $S_2$ is identical to $S_1$ except that it samples two random bits, $p_i$ and $q_i$, for each stage one commitment. $S_2$ commits to $p_i$, but checks $v_i$ against $q_i$. Since $S_1$ gives polynomially many commitments and runs in polynomial time, and since each commitment is computationally hiding and independent of the rest of the execution of $S_1$ (stage two proofs are provided using $w$), $S_1^{V^*}(x, z)$ and $S_2^{V^*}(x, z)$ are computationally indistinguishable.

Hybrid 3. Our third hybrid $S_3$ is identical to $S_2$ except that $S_3$ always gives a stage two proof using witness $w$, even if $S_2$ aborts. To see that $S_2^{V^*}(x, z)$ and $S_3^{V^*}(x, z)$ are computationally indistinguishable, it suffices to show that $S_2$ aborts with negligible probability.

Observe that whenever $S$ extends the fixed partial view (either by rigging a commitment, or by encountering a verifier challenge in a stage two proof), at most one commitment from each session with fewer than $2k^2$ rigged messages is fixed as part of the simulator output. This is because before encountering a second commitment in any session, $S$ would first try to rig the first commitment. For each session, $S$ rigs at most $2k^2$ stage one commitments and encounters at most one stage two verifier challenge. Therefore, the number of commitments fixed per session without rigging is at most $(k - 1)(2k^2 + 1) = 2k^3 - (2k^2 - k + 1)$. In other words, every session will have at least $2k^2 - k + 1$ commitments rigged.

We now show that, except with negligible probability, $S_2$ will have $k^3 + k^2/2$ correct guesses per session. Recall that the guesses of $S_2$, the $q_i$, are independent of $V^*$'s responses, since these guesses play no part in the commitments sent to $V^*$. Therefore, except with probability $\mathrm{poly}(n) 2^{-k}$, every rigged commitment is a correct guess. Next, for the $2k^3 - (2k^2 - k + 1) \ge 2k^3 - 2k^2$ messages that are not rigged, we apply the Chernoff bound to see that, except with probability $e^{-\Omega(k)}$, we should have at least $(k^3 - k^2) - k^2/4 = k^3 - 5k^2/4$ correct guesses. Thus, except with negligible probability⁶, we have a total of $(k^3 - 5k^2/4) + (2k^2 - k + 1) \ge k^3 + k^2/2$ correct guesses, as desired.

Final step. $S_3$ is now identical to $P$ (it sends identically distributed messages) except that it may rewind $V^*$ during the execution. But $S_3$ only rewinds if $q_i \ne v_i$, an event independent of the protocol execution. Therefore $S_3^{V^*}(x, z)$ is identical to $\mathrm{View}_{V^*}(x, z)$. This concludes the proof. □

⁶Recall again that $2^{-k}$ and $e^{-\Omega(k)}$ are negligible in $n$ since $k = \omega(\log n)$.
6 Application to Resettably-Sound Arguments

In  this  section  we  show  how  to  achieve  more  general  notions  of  resettable  soundness  that  were  not 
required  for  our  main  theorem.  First,  we  need  an  argument  of  knowledge  as  a  building  block. 

6.1  Proofs  and  Arguments  of  Knowledge 

Loosely  speaking,  an  interactive  proof  is  a  proof  of  knowledge  if  the  prover  convinces  the  verifier 
that  it  possesses,  or  can  feasibly  compute,  a  witness  for  the  statement  proved. 

Definition 6 (Proof of knowledge [BG92]). An interactive protocol $\Pi = (P, V)$ is a proof of knowledge (resp. argument of knowledge) for language $L$ with respect to witness relation $R_L$ if $\Pi$ is indeed an interactive proof (resp. argument) for $L$, and additionally there exist a polynomial $q$, a negligible function $\nu$, and a probabilistic oracle machine $E$, such that for every interactive machine $P^*$ (resp. for every polynomially-sized machine $P^*$) and every $x \in L$, the following holds:

1. If $\Pr[(P^*, V)(x) = 1] > \nu(|x|)$, then on input $x$ and oracle access to $P^*(x)$, machine $E$ outputs a string from $R_L(x)$ within an expected number of steps bounded by

$$\frac{q(|x|)}{\Pr[(P^*, V)(x) = 1] - \nu(|x|)} .$$

The machine $E$ is called the knowledge extractor.

6.2  Resettably-sound  arguments 

[GK96a] implicitly shows that any constant-round public-coin argument is fixed-input resettably-sound if the verifier uses a pseudo-random function to generate its messages. [BGGL01, Proposition 3.5] extends the analysis to show that any constant-round public-coin argument of knowledge for $L \in \mathrm{NP}$ is a (full-blown) resettably-sound argument of knowledge for $L$, again if the verifier uses a pseudo-random function to generate its messages. We give a pair of analogous theorems below, based on our techniques in Sect. 3.

Theorem 17. Let $\Pi = (P, V)$ be a public-coin argument for an NP language $L$ with negligible soundness error. Define $\Pi^m = (P^m, V^m)$ to be $m$ parallel repetitions of $\Pi$ with the following modification: $V^m$ samples a pseudo-random function $f$ at the beginning of the protocol, and constructs each verifier message by applying $f$ to the prover messages received so far. Then, whenever $m > k^2 \log^2 n$, $\Pi^m$ is a fixed-input resettably-sound argument.

Theorem 18. Let $\Pi = (P, V)$ be a public-coin argument of knowledge for an NP language $L$ with negligible soundness error. Define $\Pi^m = (P^m, V^m)$ as in Theorem 17. Then, whenever $m > k^2 \log^2 n$, $\Pi^m$ is a resettably-sound argument of knowledge.

Note  that  in  contrast  with  Sect.  3,  we  have  replaced  multi-wise  independent  hash-functions  with 
pseudo-random  functions.  This  is  because  a  resettably-sound  argument  needs  to  guard  against  all 
polynomial-time  resetting  attacks,  and  so  we  cannot  assume  a  universal  bound  on  the  running  time 
of  the  attacks. 
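The modified verifier $V^m$ of Theorem 17, as a runnable toy added here (not the paper's code). The pseudo-random function $f$ is instantiated with HMAC-SHA256 under a key that the verifier samples once; each verifier message consists of the next public coins for all $m$ parallel sessions, computed by applying $f$ to the list of prover messages received so far. The `ResettableVerifier` wrapper models the oracle access a resetting prover has (send a message, or reset to the initial state), and `shared_rounds_after_reset` shows what a reset buys such a prover against this verifier: identical coins for as long as it resends the same messages, fresh coins in every session the moment it deviates. The class and function names, the key and the sample message strings are all constructed for this example.

```python
"""V^m of Theorem 17 with f = HMAC-SHA256 (added example; not the paper's code).

Constructed assumptions: prover messages are byte strings, one per round; a verifier
message is one block of public coins per parallel session; the key plays the role of the
PRF seed that V^m samples at the start of the protocol.
"""
import hashlib
import hmac
import secrets


class PRFVerifier:
    """m parallel public-coin verifiers whose coins are f(prover messages so far)."""

    def __init__(self, m: int, coin_bytes: int = 16, key: bytes = None):
        self.m, self.coin_bytes = m, coin_bytes
        self.key = key if key is not None else secrets.token_bytes(32)  # f sampled once

    def coins(self, prover_messages: list) -> list:
        # Session j's coins for this round are f(j, all prover messages received so far).
        prefix = b"|".join(prover_messages)
        return [hmac.new(self.key, bytes([j]) + prefix, hashlib.sha256).digest()[: self.coin_bytes]
                for j in range(self.m)]


class ResettableVerifier:
    """The oracle a resetting prover sees: deliver a message, or reset V^m to its start."""

    def __init__(self, verifier: PRFVerifier):
        self.verifier, self.sent = verifier, []

    def send(self, msg: bytes) -> list:
        self.sent.append(msg)
        return self.verifier.coins(self.sent)

    def reset(self) -> None:
        self.sent = []          # the PRF key survives a reset; only the transcript is cleared


def shared_rounds_after_reset(verifier: PRFVerifier, branch_a: list, branch_b: list) -> int:
    """Run branch_a, reset, run branch_b; count the leading rounds whose coins coincide."""
    oracle = ResettableVerifier(verifier)
    coins_a = [oracle.send(msg) for msg in branch_a]
    oracle.reset()
    coins_b = [oracle.send(msg) for msg in branch_b]
    shared = 0
    for ca, cb in zip(coins_a, coins_b):
        if ca != cb:
            break
        shared += 1
    return shared


if __name__ == "__main__":
    v = PRFVerifier(m=3, key=b"constructed-key-for-the-example")
    print(shared_rounds_after_reset(v, [b"a", b"b", b"c"], [b"a", b"b", b"x"]))
```

The coins depend only on the prover's own messages, so the resetting prover's view is a tree: two executions that share a prefix share the coins along it, and a deviation at round $i$ changes the coins of every one of the $m$ sessions from round $i$ on. A reset therefore never yields a second, independent draw for the same prefix, which is why the analysis of Sect. 3.3 can treat such an attacker as a prover that forks after rewinding, and why the number of parallel copies $m$ is what the theorem's bound is stated in.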

Proof sketch of Theorem 17. Suppose some polynomial-time $P^*_m$ breaks the fixed-input resettable-soundness property against $V^m$. Let $\tilde V^m$ be a hybrid verifier that is identical to $V^m$ except that $\tilde V^m$ uses a truly random function $F$ instead of the pseudo-random function $f$. Then, by the property of a pseudo-random function, $P^*_m$ also breaks the fixed-input resettable-soundness property against $\tilde V^m$. Now, the techniques of Sect. 3.3 show how to construct a cheating $P^*$ based on $P^*_m$ that contradicts the soundness property of $\Pi$. This gives a contradiction. □
Proof sketch of Theorem 18. We use the same techniques as [BGGL01]. Consider using the same proof sketch as for Theorem 17. It is easy to extend the techniques of Sect. 3.3 to full-blown resetting attacks where $P^*_m$ selects the input instances adaptively. The main subtlety, as pointed out by [BGGL01], is the hybrid argument involving the pseudo-random functions.

We need to show that if $P^*_m$ breaks the resettable-soundness property against the pseudo-random $V^m$, then it should also break the resettable-soundness property against the truly random $\tilde V^m$. The subtlety here is that a computationally-bounded distinguisher cannot determine whether $P^*_m$ has completed a successful resetting attack or not, because it cannot determine whether the $x$'s chosen by $P^*_m$ are in $L$ or not. To overcome this obstacle, we require $\Pi$ to be an argument of knowledge, i.e., there is a witness-extraction algorithm. We may then apply the witness-extraction algorithm to $P^*$ (constructed from $P^*_m$) to determine whether the input instances accepted by $V$ are indeed in the language $L$ or not. □